TO PROTECT THE PRIVACY OF PROTECTED HEALTH
INFORMATION IN OVERSIGHT INVESTIGATIONS

By the authority vested in me as President of the United States by
the Constitution and the laws of the United States of America, it is
ordered as follows:

Section 1. Policy.

It shall be the policy of the Government of the United States that
law enforcement may not use protected health information concerning an
individual that is discovered during the course of health oversight
activities for unrelated civil, administrative, or criminal
investigations of a non-health oversight matter, except when the balance
of relevant factors weighs clearly in favor of its use. That is,
protected health information may not be so used unless the public
interest and the need for disclosure clearly outweigh the potential for
injury to the patient, to the physician-patient relationship, and to the
treatment services. Protecting the privacy of patients' protected
health information promotes trust in the health care system. It
improves the quality of health care by fostering an environment in which
patients can feel more comfortable in providing health care
professionals with accurate and detailed information about their
personal health. In order to provide greater protections to patients'
privacy, the Department of Health and Human Services is issuing final
regulations concerning the confidentiality of individually identifiable
health information under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). HIPAA applies only to "covered
entities," such as health care plans, providers, and clearinghouses.
HIPAA regulations therefore do not apply to other organizations and
individuals that gain access to protected health information, including
Federal officials who gain access to health records during health
oversight activities.

Under the new HIPAA regulations, health oversight investigators
will appropriately have ready access to medical records for oversight
purposes. Health oversight investigators generally do not seek access
to the medical records of a particular patient, but instead review large
numbers of records to determine whether a health care provider or
organization is violating the law, such as through fraud against the
Medicare system. Access to many health records is often necessary in
order to gain enough evidence to detect and bring enforcement actions
against fraud in the health care system. Stricter rules apply under the
HIPAA regulations, however, when law enforcement officials seek
protected health information in order to investigate criminal activity
outside of the health oversight realm.

In the course of their efforts to protect the health care system,
health oversight investigators may also uncover evidence of wrongdoing
unrelated to the health care system, such as evidence of criminal
conduct by an individual who has sought health care. For records
containing that evidence, the issue thus arises whether the information
should be available for law enforcement purposes under the less
restrictive oversight rules or the more restrictive rules that apply to
non-oversight criminal investigations.

A similar issue has arisen in other circumstances. Under 18 U.S.C.
3486, an individual's health records obtained for health oversight
purposes pursuant to an administrative subpoena may not be used against
that individual patient in an unrelated investigation by law enforcement
unless a judicial officer finds good cause. Under that statute, a
judicial officer determines whether there is good cause by weighing the
public interest and the need for disclosure against the potential for
injury to the patient, to the physician-patient relationship, and to the
treatment services. It is appropriate to extend limitations on the use
of health information to all situations in which the government obtains
medical records for a health oversight purpose. In recognition of the
increasing importance of protecting health information as shown in the
medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is
necessary. It is, therefore, the policy of the Government of the United
States that law enforcement may not use protected health information
concerning an individual, discovered during the course of health
oversight activities for unrelated civil, administrative, or criminal
investigations, against that individual except when the balance of
relevant factors weighs clearly in favor of its use. That is, protected
health information may not be so used unless the public interest and the
need for disclosure clearly outweigh the potential for injury to the
patient, to the physician-patient relationship, and to the treatment
services.

Sec. 2. Definitions.

(a) "Health oversight activities" shall include the oversight

activities enumerated in the regulations concerning the
confidentiality of individually identifiable health information
promulgated by the Secretary of Health and Human Services pursuant
to the "Health Insurance Portability and Accountability Act of
1996," as amended.

(b) "Protected health information" shall have the meaning ascribed to

it in the regulations concerning the confidentiality of
individually identifiable health information promulgated by the
Secretary of Health and Human Services pursuant to the "Health
Insurance Portability and Accountability Act of 1996," as amended.

(c) "Injury to the patient" includes injury to the privacy interests of

the patient.

Sec. 3. Implementation.

(a) Protected health information concerning an individual patient

discovered during the course of health oversight activities shall
not be used against that individual patient in an unrelated civil,
administrative, or criminal investigation of a non-health oversight
matter unless the Deputy Attorney General of the U.S Department of
Justice, or insofar as the protected health information involves
members of the Armed Forces, the General Counsel of the U.S.
Department of Defense, has authorized such use.

(b) In assessing whether protected health information should be used

under subparagraph (a) of this section, the Deputy Attorney General
shall permit such use upon concluding that the balance of relevant
factors weighs clearly in favor of its use. That is, the Deputy
Attorney General shall permit disclosure if the public interest and
the need for dis-closure clearly outweigh the potential for injury
to the patient, to the physician-patient relationship, and to the
treatment services.

(c) Upon the decision to use protected health information under

subparagraph (a) of this section, the Deputy Attorney General, in
determining the extent to which this information should be used,
shall impose appropriate safeguards against unauthorized use.

(d) On an annual basis, the Department of Justice, in consultation

with the Department of Health and Human Services, shall provide to
the President of the United States a report that includes the
following information:
(i) the number of requests made to the Deputy Attorney General
for authorization to use protected health information
discovered during health oversight activities in a non-health
oversight, unrelated investigation;
(ii) the number of requests that were granted as applied for,
granted as modified, or denied;
(iii) the agencies that made the applications, and the number
of requests made by each agency; and
(iv) the uses for which the protected health information was
authorized.

(e) The General Counsel of the U.S. Department of Defense will comply

with the requirements of subparagraphs (b), (c), and (d), above.
The General Counsel also will prepare a report, consistent with the
requirements of subparagraphs (d)(i) through (d)(iv), above, and
will forward it to the Department of Justice where it will be
incorporated into the Department's annual report to the President.
Sec. 4. Exceptions.

(a) Nothing in this Executive Order shall place a restriction on the

derivative use of protected health information that was obtained by
a law enforcement agency in a non-health oversight investigation.

(b) Nothing in this Executive Order shall be interpreted to place a

restriction on a duty imposed by statute.

(c) Nothing in this Executive Order shall place any additional

limitation on the derivative use of health information obtained by
the Attorney General pursuant to the provisions of 18 U.S.C. 3486.

(d) This order does not create any right or benefit, substantive or

procedural, enforceable at law by a party against the United
States, the officers and employees, or any other person.